dad7732
Worker
Joined: Mar 18, 2007
Posts: 224
Posted: Sat Jul 26, 2008 8:27 am

Woke up this morning to all modules de-activated on one of my support production servers.

Latest RN and NS

Only thing left in the Main Menu was "Home", everything else was missing. Going into "Administration - Modules" all were de-activated and all of the custom names missing. Modules were still there, just not active. Editing and adding custom names back worked ok, nothing else amiss.

Anybody else see this before? May just be a "fluke" but I don't believe in "flukes" only deliberate flukes. No additional admins added in, no "blocks" registered by NS, etc. Truly a mystery and the red flag is now up.

Cheers, Jay


Last edited by dad7732 on Sat Jul 26, 2008 4:20 pm; edited 1 time in total
Susann
Moderator
Joined: Dec 19, 2004
Posts: 2271
Location: Germany:Moderator German NukeSentinel Support
Posted: Sat Jul 26, 2008 9:28 am

Yes, someone reported this behavior a long time before. Maybe you can find his entry. I believe he thought first his site was hacked or something like that.
Can't remember but I'm quite sure it had nothing to do with NukeSentinel.
dad7732
Worker
Joined: Mar 18, 2007
Posts: 224
Posted: Sat Jul 26, 2008 9:37 am

I'll have a search at it and see what turns up again, didn't find anything the first time.

Cheers, Jay
dad7732
Worker
Joined: Mar 18, 2007
Posts: 224
Posted: Sat Jul 26, 2008 9:55 am

First of all I need to learn to spell better when searching, found the thread but nothing there really applies.

However, I think I found the culprit. One IP was responsible for hundreds of failed attempts to read my htaccess file.

User IP can no longer access my server.

Cheers, Jay
warren-the-ape
Worker
Joined: Nov 19, 2007
Posts: 177
Location: Netherlands
Posted: Sat Jul 26, 2008 3:29 pm

dad7732 wrote:
However, I think I found the culprit. One IP was responsible for hundreds of failed attempts to read my htaccess file.

User IP can no longer access my server.


Hmm? Could you explain that, it might be interesting for the rest of us 8)
dad7732
Worker
Joined: Mar 18, 2007
Posts: 224
Posted: Sat Jul 26, 2008 3:43 pm

No idea how it actually could affect the modules DB but the 100's of lines one after the other in the server log pertaining to "too many open files .htaccess pcfg_xxxxx" could have caused it. This is a common error in Apache when the server is not configured to handle enough open files. It's akin to a DoS attack. How this may have affected this particular incident I don't know but it did appear in the server log at about the same time as the modules wipe-out.

Cheers

Except for my server info and time, this is the actual entry from the error log for the particular domain affected:

Code:
[client 117.195.224.61] (23)Too many open files in system: /.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable


The count on that entry was exactly 512 lines and there is nothing wrong with the htaccess file.
dad7732
Worker
Joined: Mar 18, 2007
Posts: 224
Posted: Sat Jul 26, 2008 4:24 pm

Additional info forgot to add. Can't get into my admin at the moment because of where I am at work - cookies disabled - but I can get into my DB. The IP I listed above sure enough is in the blocked_ip table with a reason of "10" which means that NS actually caught it, but why after 512 lines? No idea at the moment what a reason 10 is but I suspect some sort of "harvest" maybe? Still, why this "may" have done the dirty deed escapes me; may just be a coincidence, who knows.

Cheers
montego
Site Admin
Joined: Aug 29, 2004
Posts: 7452
Location: Arizona
Posted: Mon Jul 28, 2008 5:27 am

dad7732, the reason is that they were able to get that many requests in (yes, a DOS) before your timing was hit on the flood blocker.

And, yes, I believe you are right that we have found that if a site is so busy like this and *nuke is reading the modules directory but cannot complete that reading, it will deactivate everything after it. We have seen this before.
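The log review described in this thread, as an added example that is not part of any poster's message or of NukeSentinel: it counts errno 23 .htaccess failures per client IP in an Apache error log and flags addresses that exceed a threshold inside a sliding window. The timestamp layout, threshold, window, file path and client addresses in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Apache 2.2-style error_log layout: [time] [error] [client IP] (errno)text: path ...
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
                     r"\((?P<errno>\d+)\)[^:]+: (?P<path>\S+) pcfg_openfile:")
ENFILE = 23  # "Too many open files in system": the system-wide file table is full

def parse(line):
    """Return (timestamp, ip) for an errno 23 .htaccess failure, else None."""
    m = LINE_RE.match(line)
    if not m or int(m["errno"]) != ENFILE or not m["path"].endswith(".htaccess"):
        return None
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"]

def find_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Map ip -> (peak hits in any window, first seen, last seen) for IPs at or over threshold."""
    hits = defaultdict(list)
    for ts, ip in filter(None, map(parse, lines)):
        hits[ip].append(ts)
    bursts = {}
    for ip, stamps in hits.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = (best, stamps[0], stamps[-1])
    return bursts

def sample_log():
    """Constructed sample: one flooding client, one quiet client, one unrelated error."""
    t0 = datetime(2008, 7, 26, 3, 12, 0)
    tail = ("(23)Too many open files in system: /var/www/example/.htaccess "
            "pcfg_openfile: unable to check htaccess file, ensure it is readable")
    def row(offset, ip, text):
        ts = (t0 + timedelta(seconds=offset)).strftime("%a %b %d %H:%M:%S %Y")
        return f"[{ts}] [error] [client {ip}] {text}"
    rows = [row(i, "203.0.113.50", tail) for i in range(8)]
    rows += [row(0, "198.51.100.7", tail), row(90, "198.51.100.7", tail)]
    rows.append(row(5, "198.51.100.7", "File does not exist: /var/www/example/favicon.ico"))
    return rows

if __name__ == "__main__":
    print(find_bursts(sample_log()))
```

To run it over a real log, pass an open file object for the error log as `lines`; a peak count near the flood blocker's own limit shows how many requests landed before the block took effect.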
dad7732
Worker
Joined: Mar 18, 2007
Posts: 224
Posted: Mon Jul 28, 2008 5:42 am

Just so long as it's not a hack that gets through, no problem, that's what a backup is for ... :)

Cheers
montego
Site Admin
Joined: Aug 29, 2004
Posts: 7452
Location: Arizona
Posted: Mon Jul 28, 2008 5:48 am

Unfortunately, DOS type attacks are very difficult to stop with application software. If someone floods you with a real "hack" attempt, that means two attacks are occurring at the same time. No-one can predict just how MySQL is going to behave or PHP or Apache. So, yes, that is what good backups are for... ;) For true DOS protection, it really takes a concerted effort by the site owner AND the site's host.